Exchange Admins can create O365 Groups? even is locked down to a particular group?

Silver Contributor

We have a set AAD Group that can create O365 Groups and a process to request Groups to be created.

 

However, we also have a set of users around the globe that are Exchange Admins (not global admins).  One of these users can create O365 Groups - specifically from Power BI.

 

Is this supposed to be happening, or does Power BI not respect the group creation rules?

8 Replies

Yes, the restrictions don't apply to admin roles.

Interesting...does it apply to any admin role in Office 365?
Haven't tried the other admin roles. I did confirm the restrictions do apply to the exchange admins everywhere EXCEPT powerBI.

So maybe only the Global admin roles bypass the restrictions, and the workload-specific ones are still subject to them? With PowerBI being a straggler, as usual.

Nah, restrictions even apply to Global Admins, we have 3 global admins, and only 2 of them can create Groups.

In any case, yes to PowerBI straggling.

Um, that shouldn't be the case, admins should still be able to use the relevant admin controls to create/manage Groups.

 

Do you perhaps mean that this happens when they try to create a Group form within Outlook/OWA/any of the "client" endpoints? If so I believe this is the expected behavior, however the admin portal/PowerShell/etc should still allow admins to create new groups.

 

Just to make sure we're on the same page I dug out the documentation:

 

Spoiler

The steps in this article don't prevent members of the following roles from creating Office 365 Groups in the Office 365 admin center. However, it does prevent them from creating Office 365 Groups from the apps and it prevents them from creating teams (because you can't create teams in the Office 365 admin center).


Office 365 Global admins


Mailbox Administrator


Partner Tier1 Support


Partner Tier2 Support


Directory Writers

If you're a member of one of these roles, you can create Office 365 Groups for restricted users, and then assign the user as the owner of the group.

From here: https://support.office.com/en-us/article/Manage-who-can-create-Office-365-Groups-4c46c8cb-17d0-44b5-...

 

Haven't had them try from the admin portal but yes I am specifically referring to the various user interfaces (outlook, owa, planner, etc)

The rules of the game are that admins can create Groups using admin interfaces like EAC, Office 365 Admin Center, or PowerShell. If the policy doesn't allow them to create groups, they will be blocked if they try using an end-user client.

 

As to Power BI (or any client), it must include code to query the Groups policy to know who can create new groups. AFAIK, Power BI has not done the work to include the code.